<!--
UNIFIED REPORT TEMPLATE — llm-security v1.4.0

This single template replaces 9 separate report templates. Agents and commands
select which sections to include by setting ANALYSIS_TYPE.

SECTION ACTIVATION TABLE
========================
Section                    | scan | deep-scan | audit | posture | plugin-audit | mcp-audit | threat-model | pre-deploy | clean
========================== | ==== | ========= | ===== | ======= | ============ | ========= | ============ | ========== | =====
Header                     |  Y   |     Y     |   Y   |    Y    |      Y       |     Y     |      Y       |     Y      |   Y
Risk Dashboard             |  Y   |     Y     |   Y   |    Y    |      Y       |     Y     |      -       |     Y      |   Y
Executive Summary          |  Y   |     Y     |   Y   |    -    |      Y       |     Y     |      -       |     -      |   -
System Description         |  -   |     -     |   -   |    -    |      -       |     -     |      Y       |     -      |   -
Overall Score              |  -   |     -     |   -   |    Y    |      -       |     -     |      -       |     -      |   -
Remediation Summary        |  -   |     -     |   -   |    -    |      -       |     -     |      -       |     -      |   Y
Findings by Severity       |  Y   |     -     |   Y   |    -    |      Y       |     -     |      -       |     -      |   -
Findings by OWASP          |  Y   |     Y     |   -   |    -    |      -       |     -     |      -       |     -      |   -
Supply Chain Assessment    |  Y   |     -     |   -   |    -    |      -       |     -     |      -       |     -      |   -
Scanner Breakdown          |  -   |     Y     |   -   |    -    |      -       |     -     |      -       |     -      |   -
Scanner Risk Matrix        |  -   |     Y     |   -   |    -    |      -       |     -     |      -       |     -      |   -
Methodology (scanners)     |  -   |     Y     |   -   |    -    |      -       |     -     |      -       |     -      |   -
Category Assessment        |  -   |     -     |   Y   |    -    |      -       |     -     |      -       |     -      |   -
Risk Matrix (L×I)          |  -   |     -     |   Y   |    -    |      -       |     -     |      -       |     -      |   -
Action Plan                |  -   |     -     |   Y   |    -    |      -       |     -     |      -       |     -      |   -
Positive Findings          |  -   |     -     |   Y   |    -    |      -       |     -     |      -       |     -      |   -
Category Scorecard         |  -   |     -     |   -   |    Y    |      -       |     -     |      -       |     -      |   -
Quick Wins                 |  -   |     -     |   -   |    Y    |      -       |     -     |      -       |     -      |   -
Baseline Comparison        |  -   |     -     |   -   |    Y    |      -       |     -     |      -       |     -      |   -
Plugin Metadata            |  -   |     -     |   -   |    -    |      Y       |     -     |      -       |     -      |   -
Component Inventory        |  -   |     -     |   -   |    -    |      Y       |     -     |      -       |     -      |   -
Permission Matrix          |  -   |     -     |   -   |    -    |      Y       |     -     |      -       |     -      |   -
Hook Safety                |  -   |     -     |   -   |    -    |      Y       |     -     |      -       |     -      |   -
Trust Verdict              |  -   |     -     |   -   |    -    |      Y       |     -     |      -       |     -      |   -
MCP Landscape              |  -   |     -     |   -   |    -    |      -       |     Y     |      -       |     -      |   -
Per-Server Analysis        |  -   |     -     |   -   |    -    |      -       |     Y     |      -       |     -      |   -
MCP Risk Assessment        |  -   |     -     |   -   |    -    |      -       |     Y     |      -       |     -      |   -
Keep/Review/Remove         |  -   |     -     |   -   |    -    |      -       |     Y     |      -       |     -      |   -
Architecture Overview      |  -   |     -     |   -   |    -    |      -       |     -     |      Y       |     -      |   -
MAESTRO Mapping            |  -   |     -     |   -   |    -    |      -       |     -     |      Y       |     -      |   -
Threat Catalog             |  -   |     -     |   -   |    -    |      -       |     -     |      Y       |     -      |   -
Threat Risk Matrix         |  -   |     -     |   -   |    -    |      -       |     -     |      Y       |     -      |   -
Mitigation Plan            |  -   |     -     |   -   |    -    |      -       |     -     |      Y       |     -      |   -
Residual Risk              |  -   |     -     |   -   |    -    |      -       |     -     |      Y       |     -      |   -
Automated Checks           |  -   |     -     |   -   |    -    |      -       |     -     |      -       |     Y      |   -
Manual Verification        |  -   |     -     |   -   |    -    |      -       |     -     |      -       |     Y      |   -
Deploy Verdict             |  -   |     -     |   -   |    -    |      -       |     -     |      -       |     Y      |   -
Fix Log                    |  -   |     -     |   -   |    -    |      -       |     -     |      -       |     -      |   Y
Auto/Semi-Auto/Manual      |  -   |     -     |   -   |    -    |      -       |     -     |      -       |     -      |   Y
Validation                 |  -   |     -     |   -   |    -    |      -       |     -     |      -       |     -      |   Y
Rollback                   |  -   |     -     |   -   |    -    |      -       |     -     |      -       |     -      |   Y
Recommendations            |  Y   |     Y     |   -   |    Y    |      Y       |     -     |      -       |     Y      |   -
Footer                     |  Y   |     Y     |   Y   |    Y    |      Y       |     Y     |      Y       |     Y      |   Y

RISK SCORING (v2 — severity-dominated, log-scaled, v7.0.0+)
  See scanners/lib/severity.mjs riskScore(), verdict(), riskBand() —
  this comment block is reference only; severity.mjs is authoritative.

  Tiers (riskScore):
    critical >= 1 → 70-95 (1=80, 2=86, 4=93, 10=95)
    high only     → 40-65 (1=48, 5=60, 17=65)
    medium only   → 15-35 (1=20, 5=28, 50=33)
    low only      → 1-11  (1=4, 10=11)
    none          → 0

  Bands (riskBand): 0-14 Low, 15-39 Medium, 40-64 High, 65-84 Critical, 85-100 Extreme

  Verdict: BLOCK if critical>=1 OR score>=65
           WARNING if high>=1 OR score>=15
           ALLOW otherwise

  Grade (gradeFromPassRate, posture/audit only):
    A: pass_rate >= 0.89 AND zero FAIL in cat 1,2,5 AND zero Critical
    B: pass_rate >= 0.72 AND zero Critical
    C: pass_rate >= 0.56
    D: pass_rate >= 0.33
    F: pass_rate < 0.33 OR 3+ Critical

FINDING CATEGORIES
  Secrets, Injection, Permissions, Supply Chain, MCP Trust,
  Destructive, Output Handling, Other

SEVERITY CLASSIFICATION
  Critical — Active threat, immediate exploitation risk
  High     — Significant risk, exploitation likely without mitigation
  Medium   — Meaningful risk, requires attention
  Low      — Informational or best-practice gap
  Info     — Observation, no immediate risk
-->

# {{REPORT_TITLE}}

---

## Header

| Field | Value |
|-------|-------|
| **Report type** | {{ANALYSIS_TYPE}} |
| **Target** | {{TARGET}} |
| **Date** | {{DATE}} |
| **Version** | llm-security v{{VERSION}} |
| **Scope** | {{SCOPE}} |
| **Frameworks** | {{FRAMEWORKS}} |
| **Triggered by** | {{TRIGGER_COMMAND}} |

---

<!-- SECTION: Risk Dashboard — all types except threat-model -->

## Risk Dashboard

| Metric | Value |
|--------|-------|
| **Risk Score** | {{RISK_SCORE}}/100 |
| **Risk Band** | {{RISK_BAND}} |
| **Grade** | {{GRADE}} |
| **Verdict** | {{VERDICT}} |

| Severity | Count |
|----------|------:|
| Critical | {{CRITICAL}} |
| High | {{HIGH}} |
| Medium | {{MEDIUM}} |
| Low | {{LOW}} |
| Info | {{INFO}} |
| **Total** | **{{TOTAL_FINDINGS}}** |

**Verdict rationale:** {{VERDICT_RATIONALE}}

---

<!-- SECTION: Executive Summary — scan, deep-scan, audit, plugin-audit, mcp-audit -->

## Executive Summary

{{EXECUTIVE_SUMMARY}}

<!-- SECTION: Narrative Audit — scan, deep-scan, plugin-audit (transparency only — does NOT adjust verdict) -->

### Narrative Audit

**Suppressed signals:** {{SUPPRESSED_FINDINGS_COUNT}} ({{SUPPRESSED_FINDINGS_BREAKDOWN}})

> Per `summary.narrative_audit.suppressed_findings`. Suppressed signals
> are raw extractor matches (entropy, frontmatter, taint) that the agent
> downgraded after context evaluation (e.g., GLSL keywords, framework
> env-var references, animation markup, SVG inline data URIs). They do
> NOT appear in the Findings sections and do NOT affect risk_score or
> verdict. The category breakdown is for reviewer transparency only.

---

<!-- SECTION: System Description — threat-model only -->

## System Description

{{SYSTEM_DESCRIPTION}}

---

<!-- SECTION: Overall Score — posture only -->

## Overall Score

**{{POSTURE_SCORE}} / {{POSTURE_APPLICABLE}} categories covered (Grade {{GRADE}})**

```
{{PROGRESS_BAR}}
```

**Risk Score:** {{RISK_SCORE}}/100 ({{RISK_BAND}})

**Verdict:** {{POSTURE_VERDICT}}

---

<!-- SECTION: Remediation Summary — clean only -->

## Remediation Summary

> [!{{VERDICT_TYPE}}]
> **Pre-clean:** {{PRE_VERDICT}} ({{PRE_RISK_SCORE}}/100, {{PRE_RISK_BAND}}) — {{PRE_TOTAL_FINDINGS}} findings
> **Post-clean:** {{POST_VERDICT}} ({{POST_RISK_SCORE}}/100, {{POST_RISK_BAND}}) — {{POST_TOTAL_FINDINGS}} findings
> **Risk reduction:** {{RISK_REDUCTION}}%

| Metric | Before | After | Delta |
|--------|--------|-------|-------|
| Risk Score | {{PRE_RISK_SCORE}} | {{POST_RISK_SCORE}} | {{RISK_DELTA}} |
| Total Findings | {{PRE_TOTAL_FINDINGS}} | {{POST_TOTAL_FINDINGS}} | {{FINDINGS_DELTA}} |
| Critical | {{PRE_CRITICAL}} | {{POST_CRITICAL}} | {{CRITICAL_DELTA}} |
| High | {{PRE_HIGH}} | {{POST_HIGH}} | {{HIGH_DELTA}} |
| Medium | {{PRE_MEDIUM}} | {{POST_MEDIUM}} | {{MEDIUM_DELTA}} |
| Low | {{PRE_LOW}} | {{POST_LOW}} | {{LOW_DELTA}} |

---

<!-- SECTION: Findings by Severity — scan, audit, plugin-audit -->

## Findings

Findings sorted Critical → High → Medium → Low → Info.
Finding IDs: `SCN-NNN` (LLM agent) or `DS-XXX-NNN` (deterministic scanner).

### Critical

| ID | Category | File | Line | Description | OWASP |
|----|----------|------|------|-------------|-------|
| {{FINDING_ROW}} |

**{{FINDING_ID}} Detail**
- **Severity:** Critical
- **Category:** {{CATEGORY}}
- **File:** {{FILE}}
- **Line(s):** {{LINE}}
- **OWASP:** {{OWASP_REF}}
- **Description:** {{DESCRIPTION}}
- **Evidence:** {{EVIDENCE}}
- **Remediation:** {{REMEDIATION}}

### High

> Omit if empty.

### Medium

> Omit if empty.

### Low / Info

> Omit if empty.

---

<!-- SECTION: Findings by OWASP — scan, deep-scan -->

## OWASP Categorization

| OWASP Category | Findings | Max Severity | Scanners |
|----------------|----------|-------------|----------|
| LLM01 — Prompt Injection | {{LLM01_COUNT}} | {{LLM01_MAX}} | {{LLM01_SCANNERS}} |
| LLM02 — Sensitive Info Disclosure | {{LLM02_COUNT}} | {{LLM02_MAX}} | {{LLM02_SCANNERS}} |
| LLM03 — Supply Chain | {{LLM03_COUNT}} | {{LLM03_MAX}} | {{LLM03_SCANNERS}} |
| LLM06 — Excessive Agency | {{LLM06_COUNT}} | {{LLM06_MAX}} | {{LLM06_SCANNERS}} |

---

<!-- SECTION: Supply Chain Assessment — scan only -->

## Supply Chain Assessment

| Component | Type | Source | Trust Score | Notes |
|-----------|------|--------|-------------|-------|
| {{SUPPLY_CHAIN_ROW}} |

**Source verification:** {{SOURCE_VERIFICATION}}

**Permissions analysis:**
- Requested tools: {{REQUESTED_TOOLS}}
- Minimum necessary: {{MIN_TOOLS}}
- Over-permissioned: {{OVER_PERMISSIONED}}

**Supply chain risk summary:** {{SUPPLY_CHAIN_SUMMARY}}

---

<!-- SECTION: Scanner Breakdown — deep-scan only -->

## Scanner Results

### 1. Unicode Analysis (UNI)
**Status:** {{UNI_STATUS}} | **Files:** {{UNI_FILES}} | **Findings:** {{UNI_FINDINGS}} | **Time:** {{UNI_DURATION}}ms

{{UNI_DETAILS}}

### 2. Entropy Analysis (ENT)
**Status:** {{ENT_STATUS}} | **Files:** {{ENT_FILES}} | **Findings:** {{ENT_FINDINGS}} | **Time:** {{ENT_DURATION}}ms

{{ENT_DETAILS}}

### 3. Permission Mapping (PRM)
**Status:** {{PRM_STATUS}} | **Files:** {{PRM_FILES}} | **Findings:** {{PRM_FINDINGS}} | **Time:** {{PRM_DURATION}}ms

{{PRM_DETAILS}}

### 4. Dependency Audit (DEP)
**Status:** {{DEP_STATUS}} | **Files:** {{DEP_FILES}} | **Findings:** {{DEP_FINDINGS}} | **Time:** {{DEP_DURATION}}ms

{{DEP_DETAILS}}

### 5. Taint Tracing (TNT)
**Status:** {{TNT_STATUS}} | **Files:** {{TNT_FILES}} | **Findings:** {{TNT_FINDINGS}} | **Time:** {{TNT_DURATION}}ms

{{TNT_DETAILS}}

### 6. Git Forensics (GIT)
**Status:** {{GIT_STATUS}} | **Files:** {{GIT_FILES}} | **Findings:** {{GIT_FINDINGS}} | **Time:** {{GIT_DURATION}}ms

{{GIT_DETAILS}}

### 7. Network Mapping (NET)
**Status:** {{NET_STATUS}} | **Files:** {{NET_FILES}} | **Findings:** {{NET_FINDINGS}} | **Time:** {{NET_DURATION}}ms

{{NET_DETAILS}}

---

<!-- SECTION: Scanner Risk Matrix — deep-scan only -->

## Scanner Risk Matrix

| Scanner | CRITICAL | HIGH | MEDIUM | LOW | INFO |
|---------|----------|------|--------|-----|------|
| Unicode (UNI) | {{UNI_C}} | {{UNI_H}} | {{UNI_M}} | {{UNI_L}} | {{UNI_I}} |
| Entropy (ENT) | {{ENT_C}} | {{ENT_H}} | {{ENT_M}} | {{ENT_L}} | {{ENT_I}} |
| Permission (PRM) | {{PRM_C}} | {{PRM_H}} | {{PRM_M}} | {{PRM_L}} | {{PRM_I}} |
| Dependency (DEP) | {{DEP_C}} | {{DEP_H}} | {{DEP_M}} | {{DEP_L}} | {{DEP_I}} |
| Taint (TNT) | {{TNT_C}} | {{TNT_H}} | {{TNT_M}} | {{TNT_L}} | {{TNT_I}} |
| Git (GIT) | {{GIT_C}} | {{GIT_H}} | {{GIT_M}} | {{GIT_L}} | {{GIT_I}} |
| Network (NET) | {{NET_C}} | {{NET_H}} | {{NET_M}} | {{NET_L}} | {{NET_I}} |
| **TOTAL** | **{{CRITICAL}}** | **{{HIGH}}** | **{{MEDIUM}}** | **{{LOW}}** | **{{INFO}}** |

---

<!-- SECTION: Methodology — deep-scan only -->

## Methodology

7 deterministic Node.js scanners (zero external dependencies). Results are factual and reproducible.

| Scanner | Algorithm | Limitations |
|---------|-----------|-------------|
| Unicode | Codepoint iteration, Tag decoding | None — deterministic |
| Entropy | Shannon H per string literal | FP on knowledge files, data URIs |
| Permission | Frontmatter parsing, cross-reference | Claude Code plugins only |
| Dependency | npm/pip audit, Levenshtein | Requires package manager CLI |
| Taint | Regex variable tracking, 3-pass | ~70% recall, no AST, no cross-file |
| Git | History analysis, reflog, diff | Max 500 commits, 15s timeout |
| Network | URL extraction, DNS resolution | Max 50 DNS lookups, 3s timeout |

---

<!-- SECTION: Category Assessment — audit only -->

## Category Assessment

### Category 1 — Deny-First Configuration

| Status | {{CAT1_STATUS}} |
|--------|----------------|

**Evidence:**
{{CAT1_EVIDENCE}}

**Recommendations:**
{{CAT1_RECOMMENDATIONS}}

---

### Category 2 — Secrets Protection

| Status | {{CAT2_STATUS}} |
|--------|----------------|

**Evidence:**
{{CAT2_EVIDENCE}}

**Recommendations:**
{{CAT2_RECOMMENDATIONS}}

---

### Category 3 — Path Guarding

| Status | {{CAT3_STATUS}} |
|--------|----------------|

**Evidence:**
{{CAT3_EVIDENCE}}

**Recommendations:**
{{CAT3_RECOMMENDATIONS}}

---

### Category 4 — MCP Server Trust

| Status | {{CAT4_STATUS}} |
|--------|----------------|

**Evidence:**
{{CAT4_EVIDENCE}}

**Recommendations:**
{{CAT4_RECOMMENDATIONS}}

---

### Category 5 — Destructive Command Blocking

| Status | {{CAT5_STATUS}} |
|--------|----------------|

**Evidence:**
{{CAT5_EVIDENCE}}

**Recommendations:**
{{CAT5_RECOMMENDATIONS}}

---

### Category 6 — Sandbox Configuration

| Status | {{CAT6_STATUS}} |
|--------|----------------|

**Evidence:**
{{CAT6_EVIDENCE}}

**Recommendations:**
{{CAT6_RECOMMENDATIONS}}

---

### Category 7 — Human Review Requirements

| Status | {{CAT7_STATUS}} |
|--------|----------------|

**Evidence:**
{{CAT7_EVIDENCE}}

**Recommendations:**
{{CAT7_RECOMMENDATIONS}}

---

### Category 8 — Skill and Plugin Sources

| Status | {{CAT8_STATUS}} |
|--------|----------------|

**Evidence:**
{{CAT8_EVIDENCE}}

**Recommendations:**
{{CAT8_RECOMMENDATIONS}}

---

### Category 9 — Session Isolation

| Status | {{CAT9_STATUS}} |
|--------|----------------|

**Evidence:**
{{CAT9_EVIDENCE}}

**Recommendations:**
{{CAT9_RECOMMENDATIONS}}

---

<!-- SECTION: Risk Matrix (L×I) — audit only -->

## Risk Matrix

```
              LIKELIHOOD
              Low          Medium       High
         +------------+------------+------------+
  High   |            |            |            |
IMPACT   +------------+------------+------------+
  Med    |            |            |            |
         +------------+------------+------------+
  Low    |            |            |            |
         +------------+------------+------------+
```

---

<!-- SECTION: Action Plan — audit only -->

## Prioritized Action Plan

| # | Priority | Action | Finding | Effort | Risk if Deferred |
|---|----------|--------|---------|--------|------------------|
| {{ACTION_ROWS}} |

---

<!-- SECTION: Positive Findings — audit only -->

## Positive Findings

- **{{CONTROL_NAME}}** — {{CONTROL_DESCRIPTION}}

---

<!-- SECTION: Category Scorecard — posture only -->

## Category Scorecard

| # | Category | Status | Notes |
|---|----------|--------|-------|
| 1 | Deny-First Configuration | {{CAT1_INDICATOR}} | {{CAT1_NOTES}} |
| 2 | Secrets Protection | {{CAT2_INDICATOR}} | {{CAT2_NOTES}} |
| 3 | Path Guarding | {{CAT3_INDICATOR}} | {{CAT3_NOTES}} |
| 4 | MCP Server Trust | {{CAT4_INDICATOR}} | {{CAT4_NOTES}} |
| 5 | Destructive Command Blocking | {{CAT5_INDICATOR}} | {{CAT5_NOTES}} |
| 6 | Sandbox Configuration | {{CAT6_INDICATOR}} | {{CAT6_NOTES}} |
| 7 | Human Review Requirements | {{CAT7_INDICATOR}} | {{CAT7_NOTES}} |
| 8 | Skill and Plugin Sources | {{CAT8_INDICATOR}} | {{CAT8_NOTES}} |
| 9 | Session Isolation | {{CAT9_INDICATOR}} | {{CAT9_NOTES}} |

Status indicators: COVERED / PARTIAL / GAP / N/A

### Category Detail

{{CATEGORY_DETAIL}}

---

<!-- SECTION: Quick Wins — posture only -->

## Quick Wins

- [ ] {{QUICK_WIN}}

> If none: "No quick wins identified — improvements require architectural changes."

---

<!-- SECTION: Baseline Comparison — posture only -->

## Baseline Comparison

| Category | Fully Secured | This Project |
|----------|--------------|--------------|
| Deny-First Configuration | `defaultPermissionLevel: deny` | {{CAT1_CURRENT}} |
| Secrets Protection | Hook active + .env gitignored + no secrets | {{CAT2_CURRENT}} |
| Path Guarding | `pre-write-pathguard` blocks sensitive paths | {{CAT3_CURRENT}} |
| MCP Server Trust | All verified, minimal scope, auth required | {{CAT4_CURRENT}} |
| Destructive Command Blocking | `pre-bash-destructive` with comprehensive patterns | {{CAT5_CURRENT}} |
| Sandbox Configuration | Network/filesystem scoped to project | {{CAT6_CURRENT}} |
| Human Review Requirements | Confirmation gates on irreversible operations | {{CAT7_CURRENT}} |
| Skill and Plugin Sources | All verified sources, minimal permissions | {{CAT8_CURRENT}} |
| Session Isolation | No cross-session leakage, minimal context | {{CAT9_CURRENT}} |

**Gap summary:** {{GAP_SUMMARY}}

---

<!-- SECTION: Plugin Metadata — plugin-audit only -->

## Plugin Metadata

| Field | Value |
|-------|-------|
| **Plugin** | {{PLUGIN_NAME}} |
| **Version** | {{PLUGIN_VERSION}} |
| **Author** | {{PLUGIN_AUTHOR}} |
| **Path** | {{PLUGIN_PATH}} |
| **Auto-discover** | {{AUTO_DISCOVER}} |
| **Commands** | {{CMD_COUNT}} |
| **Agents** | {{AGENT_COUNT}} |
| **Hook events** | {{HOOK_EVENT_COUNT}} |
| **Skills** | {{SKILL_COUNT}} |
| **Knowledge files** | {{KB_COUNT}} ({{KB_LINES}} lines) |
| **Templates** | {{TEMPLATE_COUNT}} |
| **Total files** | {{TOTAL_FILE_COUNT}} |

---

<!-- SECTION: Component Inventory — plugin-audit only -->

## Component Inventory

### Commands

| Name | Allowed Tools | Model | Flags |
|------|---------------|-------|-------|
| {{CMD_ROWS}} |

### Agents

| Name | Tools | Model | Flags |
|------|-------|-------|-------|
| {{AGENT_ROWS}} |

### Hooks

| Event | Matcher | Script | Behavior | Flags |
|-------|---------|--------|----------|-------|
| {{HOOK_ROWS}} |

### Skills

| Name | Reference Files |
|------|----------------|
| {{SKILL_ROWS}} |

---

<!-- SECTION: Permission Matrix — plugin-audit only -->

## Permission Matrix

| Tool | Granted to | Risk Level | Justification Needed |
|------|-----------|------------|---------------------|
| {{PERMISSION_ROWS}} |

**Permission flags:**

| Flag | Components | Assessment |
|------|-----------|------------|
| {{FLAG_ROWS}} |

---

<!-- SECTION: Hook Safety — plugin-audit only -->

## Hook Safety Analysis

**Events intercepted:** {{HOOK_EVENTS}}

| Category | Count | Assessment |
|----------|-------|------------|
| Block hooks | {{BLOCK_HOOKS}} | {{BLOCK_ASSESSMENT}} |
| Warn hooks | {{WARN_HOOKS}} | {{WARN_ASSESSMENT}} |
| State-modifying | {{STATE_HOOKS}} | {{STATE_ASSESSMENT}} |
| Network-calling | {{NET_HOOKS}} | {{NET_ASSESSMENT}} |
| SessionStart | {{SESSION_HOOKS}} | {{SESSION_ASSESSMENT}} |

**Script analysis:**
{{SCRIPT_ANALYSIS}}

---

<!-- SECTION: Trust Verdict — plugin-audit only -->

## Trust Verdict

**Verdict: {{TRUST_VERDICT}}**

| Criterion | Status |
|-----------|--------|
| Zero Critical findings | {{CRIT_CHECK}} |
| Zero High findings | {{HIGH_CHECK}} |
| All hooks transparent | {{HOOK_CHECK}} |
| No state-modifying hooks | {{STATE_CHECK}} |
| No network-calling hooks | {{NET_CHECK}} |
| Permissions justified | {{PERM_CHECK}} |
| No exfiltration patterns | {{EXFIL_CHECK}} |
| No persistence mechanisms | {{PERSIST_CHECK}} |
| No hidden instructions | {{HIDDEN_CHECK}} |

**Verdict rationale:** {{TRUST_RATIONALE}}

---

<!-- SECTION: MCP Landscape — mcp-audit only -->

## MCP Landscape Summary

| Server | Source | Transport | Trust Rating | Critical | High | Medium | Low |
|--------|--------|-----------|--------------|----------|------|--------|-----|
| {{MCP_LANDSCAPE_ROWS}} |

**Overall MCP Risk:** {{MCP_RISK}}

---

<!-- SECTION: Per-Server Analysis — mcp-audit only -->

## Per-Server Analysis

### Server: `{{SERVER_NAME}}`

| Field | Value |
|-------|-------|
| **Transport** | {{TRANSPORT}} |
| **Command/URL** | {{SERVER_CMD}} |
| **Source** | {{SERVER_SOURCE}} |
| **Trust Rating** | {{TRUST_RATING}} |

**Findings:**

| # | Severity | Category | Description | OWASP |
|---|----------|----------|-------------|-------|
| {{SERVER_FINDING_ROWS}} |

**Evidence:**
```
{{SERVER_EVIDENCE}}
```

**Recommendations:**
{{SERVER_RECOMMENDATIONS}}

---

<!-- SECTION: MCP Risk Assessment — mcp-audit only -->

## Overall MCP Risk Assessment

**Risk Rating: {{MCP_RISK}}**

| Criterion | Description |
|-----------|-------------|
| Low | All servers Trusted/Cautious, no High+ findings |
| Medium | Cautious servers with High findings |
| High | Untrusted servers present |
| Critical | Any Dangerous server |

---

<!-- SECTION: Keep/Review/Remove — mcp-audit only -->

## MCP Recommendations

### Keep
{{MCP_KEEP}}

### Review
{{MCP_REVIEW}}

### Remove
{{MCP_REMOVE}}

---

<!-- SECTION: Architecture Overview — threat-model only -->

## Architecture Overview

{{ARCHITECTURE_DIAGRAM}}

---

<!-- SECTION: MAESTRO Mapping — threat-model only -->

## MAESTRO Layer Mapping

| Layer | Components Present | Attack Surface Rating |
|-------|-------------------|----------------------|
| L1 Foundation Models | {{L1_COMPONENTS}} | {{L1_RATING}} |
| L2 Data and Knowledge | {{L2_COMPONENTS}} | {{L2_RATING}} |
| L3 Agent Frameworks | {{L3_COMPONENTS}} | {{L3_RATING}} |
| L4 Tool Integration | {{L4_COMPONENTS}} | {{L4_RATING}} |
| L5 Agent Capabilities | {{L5_COMPONENTS}} | {{L5_RATING}} |
| L6 Multi-Agent Systems | {{L6_COMPONENTS}} | {{L6_RATING}} |
| L7 Ecosystem | {{L7_COMPONENTS}} | {{L7_RATING}} |

---

<!-- SECTION: Threat Catalog — threat-model only -->

## Threat Catalog

### Layer {{LAYER_NUM}} — {{LAYER_NAME}}

#### Threat {{THREAT_ID}}: {{THREAT_TITLE}}

| Field | Value |
|-------|-------|
| STRIDE | {{STRIDE_CAT}} |
| OWASP | {{THREAT_OWASP}} |
| Likelihood | {{LIKELIHOOD}} — {{LIKELIHOOD_RATIONALE}} |
| Impact | {{IMPACT}} — {{IMPACT_RATIONALE}} |
| Risk Score | {{THREAT_RISK_SCORE}} — {{THREAT_PRIORITY}} |
| Wild Exploitation | {{WILD_STATUS}} |

**Attack scenario:** {{ATTACK_SCENARIO}}

**Current control status:** {{CONTROL_STATUS}}

**Recommendation:** {{THREAT_RECOMMENDATION}}

---

<!-- SECTION: Threat Risk Matrix — threat-model only -->

## Threat Risk Matrix

| Threat | Layer | STRIDE | OWASP | Score | Priority |
|--------|-------|--------|-------|-------|----------|
| {{THREAT_MATRIX_ROWS}} |

---

<!-- SECTION: Mitigation Plan — threat-model only -->

## Mitigation Plan

### Critical and High Priority Actions

| # | Threat | Action | Control Type | Effort |
|---|--------|--------|-------------|--------|
| {{MITIGATION_ROWS}} |

### Already Mitigated

| Threat | Control | Evidence |
|--------|---------|---------|
| {{MITIGATED_ROWS}} |

### Accepted Risks

| Threat | Rationale | Owner |
|--------|-----------|-------|
| {{ACCEPTED_ROWS}} |

---

<!-- SECTION: Residual Risk — threat-model only -->

## Residual Risk Summary

{{RESIDUAL_RISK_SUMMARY}}

**Coverage:** {{THREAT_COUNT}} threats across {{LAYER_COUNT}} MAESTRO layers.
**Critical:** {{THREAT_CRIT}} | **High:** {{THREAT_HIGH}} | **Medium:** {{THREAT_MED}} | **Low:** {{THREAT_LOW}}

---

<!-- SECTION: Automated Checks — pre-deploy only -->

## Automated Checks

**Passed: {{PASS_COUNT}}/10**

```
{{CHECK_PROGRESS_BAR}}
```

| # | Check | Status | Detail |
|---|-------|--------|--------|
| 1 | Deny-first permissions | {{CHK1_STATUS}} | {{CHK1_DETAIL}} |
| 2 | Secrets hook active | {{CHK2_STATUS}} | {{CHK2_DETAIL}} |
| 3 | Path guard active | {{CHK3_STATUS}} | {{CHK3_DETAIL}} |
| 4 | Destructive command guard | {{CHK4_STATUS}} | {{CHK4_DETAIL}} |
| 5 | MCP servers verified | {{CHK5_STATUS}} | {{CHK5_DETAIL}} |
| 6 | No hardcoded secrets | {{CHK6_STATUS}} | {{CHK6_DETAIL}} |
| 7 | .gitignore covers secrets | {{CHK7_STATUS}} | {{CHK7_DETAIL}} |
| 8 | CLAUDE.md security docs | {{CHK8_STATUS}} | {{CHK8_DETAIL}} |
| 9 | Sandbox enabled | {{CHK9_STATUS}} | {{CHK9_DETAIL}} |
| 10 | Audit logging configured | {{CHK10_STATUS}} | {{CHK10_DETAIL}} |

---

<!-- SECTION: Manual Verification — pre-deploy only -->

## Manual Verification

- [ ] **Enterprise plan:** {{ENTERPRISE_ANSWER}}
- [ ] **DPIA completed:** {{DPIA_ANSWER}}
- [ ] **Incident response plan:** {{IRP_ANSWER}}

---

<!-- SECTION: Deploy Verdict — pre-deploy only -->

## Deploy Verdict

**{{DEPLOY_VERDICT}}** ({{DEPLOY_RISK_BAND}})

| Pass Count | Risk Band | Verdict |
|-----------|-----------|---------|
| 10/10 | Low | Ready for deployment |
| 8-9/10 | Medium | Nearly ready |
| 6-7/10 | High | Significant gaps |
| 4-5/10 | Critical | Not ready |
| 0-3/10 | Extreme | Deployment blocked |

---

<!-- SECTION: Fix Log — clean only -->

## Fix Summary

| Category | Count |
|----------|-------|
| Auto-fixes applied | {{AUTO_APPLIED}} |
| Semi-auto approved | {{SEMI_APPROVED}} |
| Semi-auto skipped | {{SEMI_SKIPPED}} |
| LLM auto-fixes | {{LLM_AUTO_APPLIED}} |
| LLM semi-auto approved | {{LLM_SEMI_APPROVED}} |
| Manual (reported only) | {{MANUAL_COUNT}} |
| Skipped (historical) | {{HISTORICAL_COUNT}} |
| Failed | {{FAILED_COUNT}} |
| **Total processed** | **{{TOTAL_PROCESSED}}** |

---

<!-- SECTION: Auto/Semi-Auto/Manual — clean only -->

## Auto-Fixes Applied

| Finding ID | File | Operation | Description |
|------------|------|-----------|-------------|
| {{AUTO_FIXES_ROWS}} |

## Semi-Auto Fixes Applied

| Finding ID | File | Change Description | Rationale |
|------------|------|-------------------|-----------|
| {{SEMI_AUTO_APPLIED_ROWS}} |

## Semi-Auto Fixes Skipped

| Finding ID | Proposed Change | User Decision |
|------------|----------------|---------------|
| {{SEMI_AUTO_SKIPPED_ROWS}} |

## Remaining Manual Findings

| Finding ID | Severity | File | Description | Recommendation |
|------------|----------|------|-------------|----------------|
| {{MANUAL_FINDINGS_ROWS}} |

## Skipped (Historical)

| Finding ID | Severity | Commit | Description |
|------------|----------|--------|-------------|
| {{HISTORICAL_ROWS}} |

---

<!-- SECTION: Validation — clean only -->

## Validation Results

| File | Check | Result | Detail |
|------|-------|--------|--------|
| {{VALIDATION_ROWS}} |

## File Modification Log

| File Path | Operations | Validation |
|-----------|-----------|------------|
| {{FILE_MOD_ROWS}} |

---

<!-- SECTION: Rollback — clean only -->

## Rollback

To restore the original (pre-clean) state:

```bash
rm -rf {{TARGET}}
mv {{BACKUP_PATH}} {{TARGET}}
```

> The backup will be removed when you next run `/security clean` on this target.

---

<!-- SECTION: Recommendations — scan, deep-scan, posture, plugin-audit, pre-deploy -->

## Recommendations

| Priority | Finding ID(s) | Action | Effort |
|----------|---------------|--------|--------|
| {{RECOMMENDATION_ROWS}} |

**Quick wins (< 5 min):** {{QUICK_WINS_LIST}}

---

## Footer

| Field | Value |
|-------|-------|
| llm-security version | {{VERSION}} |
| Assessment engine | {{ENGINE}} |
| OWASP references | LLM Top 10 (2025), Agentic AI Top 10 |
| Report generated | {{TIMESTAMP}} |

---

*Generated by llm-security v{{VERSION}}*